How do I push a public repo with private submodules to Heroku without compromising my password?

Question

I have a public repo (that I'd like to keep public), but with submodules for private repos. I deploy to Heroku (which is a flexible point - I'm more than happy to consider other PaaS's if it will resolve this issue) and I've been running into problems pushing my submodules - the error message looks like this.

Heroku gives you a way to add private module dependencies, but that involves putting my password in a plain text .gitmodules file, which obviously isn't a great thing to do, especially for a public repo.

Short of symlinking those private repos to directories within my project - which I will probably do if there is no other sensible solution - what else can I possibly do to (a) keep my public repo public, (b) keep my private submodules private, and (c) not expose my private repo password in my public repo?

Answer 1

No need to embed the username and password into the repository URL.

You can encrypt all the different credentials into one ~/.netrc.gpg, and declare a credential helper that will make git find the right credentials for the right repos.

git config --local credential.helper "netrc -f /path/to/.netrc.gpg -v"

See "Is there a way to skip password typing when using https:// github".
As I mention in "Configure Git clients, like GitHub for Windows, to not ask for authentication", this even is compatible with the recent two-factor authentication of GitHub.